HxHippy

SSH Key Management

Secure SSH key generation, deployment, and management.

Last updated: 2025-01-15

Public key authentication is stronger than passwords: the private key never leaves the client, the server stores only the public half (so a compromised server yields nothing that logs in anywhere else), and a 256-bit key cannot be guessed or brute-forced the way a password can. Each key is also revocable on its own by deleting its line from authorized_keys.

Key Types Comparison

Type     Key size          Security   Performance
ED25519  256-bit           Excellent  Fast
RSA      4096-bit          Good       Slower
ECDSA    256/384/521-bit   Good       Fast

Recommendation: Use ED25519 for all new keys (supported since OpenSSH 6.5). Generate an RSA 4096-bit key only for a host or appliance too old to accept ED25519, and retire it when that host goes.

Generate Keys

# Generate ED25519 key
ssh-keygen -t ed25519 -a 100 -C "user@hostname"

# Options:
# -a 100  = 100 rounds of the KDF that encrypts the private key file; slows down
#           offline passphrase guessing if the key file is stolen (only matters
#           when the key has a passphrase, which it should)
# -C      = Comment to identify the key (shows up in authorized_keys and ssh-add -l)

RSA (Legacy Compatibility)

# Generate RSA 4096-bit key
ssh-keygen -t rsa -b 4096 -o -a 100 -C "user@hostname"

# -b 4096 = 4096-bit key (OpenSSH's current default is 3072; never go below 2048)
# -o      = New OpenSSH private key format; the default since OpenSSH 7.8, so the
#           flag only matters on older ssh-keygen, and -a has no effect without it

Deploy Keys

ssh-copy-id

# Copy public key to server (appends it to ~/.ssh/authorized_keys, creating the
# directory and file with the right modes if needed)
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server

# Verify that the key, not a password fallback, is what authenticates
ssh -o PasswordAuthentication=no -i ~/.ssh/id_ed25519 user@server

Manual Deployment

# On the server (sshd's StrictModes, on by default, silently rejects keys when
# ~/.ssh, authorized_keys or the home directory are group- or world-writable)
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "your-public-key" >> ~/.ssh/authorized_keys   # the whole one-line contents of id_ed25519.pub
chmod 600 ~/.ssh/authorized_keys

Key Security

Permissions

# Private key - owner read only
chmod 600 ~/.ssh/id_ed25519

# Public key - readable
chmod 644 ~/.ssh/id_ed25519.pub

# SSH directory
chmod 700 ~/.ssh

# authorized_keys
chmod 600 ~/.ssh/authorized_keys
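The four chmod lines above describe ceilings rather than exact values: a 600 public key is harmless, a 644 private key is not. The following script, an added example that is not part of the original page, audits a directory against those ceilings and exits non-zero when any file carries permission bits beyond them. The directory layout it expects (keys as NAME plus NAME.pub, other private keys recognised by their PRIVATE KEY header) and the default of ~/.ssh are this example's own assumptions.

```shell
#!/bin/sh
# Audit an SSH directory against the modes recommended above.
# Added example: each file is compared to a ceiling, so stricter modes still pass.
# Usage: audit_ssh_dir [DIR]   (DIR defaults to ~/.ssh; exit 0 when everything passes)

# file_mode PATH -> octal mode such as 600 (GNU stat first, BSD/macOS stat as fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ceiling PATH MAXMODE -> returns 1 if PATH has permission bits beyond MAXMODE
check_ceiling() {
    path=$1
    ceiling=$2
    [ -e "$path" ] || return 0               # absent files are not a finding
    have=$(file_mode "$path")
    # bits set in `have` that `ceiling` does not allow (a leading 0 makes sh read octal)
    extra=$(( 0$have & ~0$ceiling ))
    if [ "$extra" -ne 0 ]; then
        echo "BAD  $path is $have, must be at most $ceiling"
        return 1
    fi
    echo "ok   $path ($have)"
}

# audit_ssh_dir [DIR] -> 0 when every check passes, 1 when at least one fails
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    rc=0
    check_ceiling "$dir" 700 || rc=1
    check_ceiling "$dir/authorized_keys" 600 || rc=1
    # Key pairs: NAME.pub is public, NAME is the private key it belongs to
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue            # unmatched glob
        check_ceiling "$pub" 644 || rc=1
        check_ceiling "${pub%.pub}" 600 || rc=1
    done
    # Private keys that have no .pub beside them are recognised by their header
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac
        if [ -e "$f.pub" ]; then continue; fi   # already checked above
        if head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY'; then
            check_ceiling "$f" 600 || rc=1
        fi
    done
    return "$rc"
}
```

Run it as `audit_ssh_dir` on the client and as `audit_ssh_dir /home/deploy/.ssh` on a server; a BAD line for the directory or authorized_keys is also the usual reason a freshly copied key is refused under StrictModes.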

Passphrase Protection

# Add passphrase to existing key
ssh-keygen -p -f ~/.ssh/id_ed25519

# Use ssh-agent to cache passphrase
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

SSH Config

# ~/.ssh/config
Host production
    HostName prod.example.com
    User deploy
    IdentityFile ~/.ssh/id_ed25519_prod
    IdentitiesOnly yes

Host staging
    HostName staging.example.com
    User deploy
    IdentityFile ~/.ssh/id_ed25519_staging
    IdentitiesOnly yes

# Global defaults: ssh keeps the first value it reads for each option, so this
# wildcard block belongs last (the hosts above keep their own IdentityFile)
Host *
    AddKeysToAgent yes
    IdentitiesOnly yes
    HashKnownHosts yes
    ServerAliveInterval 60

Key Rotation

# Generate new key
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_new -C "user@hostname-$(date +%Y%m)"

# Add new key to servers while old key still works
ssh-copy-id -i ~/.ssh/id_ed25519_new.pub user@server

# Test new key
ssh -i ~/.ssh/id_ed25519_new user@server

# Remove the old key's line from every server's authorized_keys, matching on the
# key material rather than the comment (the comment may differ from your copy)
# Then retire the old local key: ssh-add -d ~/.ssh/id_ed25519 and delete the file
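The last two steps are where rotations go wrong: the old line is removed before the new one is confirmed present, or the wrong line is removed because the server-side comment differs. The script below, an added example rather than code from the original page, performs the authorized_keys side of the rotation in the safe order and matches lines on the base64 key material only. The sample keys it embeds are constructed placeholders, not real key material, and the file names are assumptions.

```shell
#!/bin/sh
# Rotate a key inside an authorized_keys file. Added example, not from the original page.
# Lines are matched on the base64 key material alone, so a different comment or a
# restrictive options prefix (command="...", from="...") on the server's line does not matter.

# key_blob PUBFILE -> base64 key material of a one-line public key file
key_blob() { awk 'NR == 1 { print $2; exit }' "$1"; }

# has_key AUTHORIZED_KEYS BLOB -> 0 when some line carries BLOB as a whitespace-separated token
has_key() {
    awk -v blob="$2" '
        { for (i = 1; i <= NF; i++) if ($i == blob) { found = 1; exit } }
        END { exit !found }' "$1"
}

# add_key AUTHORIZED_KEYS PUBFILE -> append the key unless its material is already present
add_key() {
    blob=$(key_blob "$2")
    if has_key "$1" "$blob"; then
        echo "already installed: $2"
        return 0
    fi
    cat "$2" >> "$1"
}

# remove_key AUTHORIZED_KEYS PUBFILE -> drop every line carrying that key material
remove_key() {
    blob=$(key_blob "$2")
    tmp=$(mktemp)
    awk -v blob="$blob" '
        { keep = 1; for (i = 1; i <= NF; i++) if ($i == blob) keep = 0 }
        keep { print }' "$1" > "$tmp"
    cat "$tmp" > "$1"      # rewrite in place so the file keeps its owner and 600 mode
    rm -f "$tmp"
}

# count_keys AUTHORIZED_KEYS -> number of lines that are neither blank nor comments
count_keys() { grep -Ecv '^[[:space:]]*(#|$)' "$1" || true; }

# rotate_key AUTHORIZED_KEYS OLD.pub NEW.pub
#   1. install the new key   2. confirm it is present   3. only then remove the old one
rotate_key() {
    add_key "$1" "$3"
    if ! has_key "$1" "$(key_blob "$3")"; then
        echo "new key missing from $1, leaving the old key in place" >&2
        return 1
    fi
    remove_key "$1" "$2"
}

# demo_rotation -> scratch directory with constructed (not real) keys, rotated
demo_rotation() {
    d=$(mktemp -d)
    # Constructed sample keys: the base64 is placeholder text, not real key material
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOldKeyOldKeyOldKeyOldKeyOldKeyOldKeyOldKeyA user@hostname-202401' > "$d/old.pub"
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINewKeyNewKeyNewKeyNewKeyNewKeyNewKeyNewKeyA user@hostname-202501' > "$d/new.pub"
    # Server-side file: the old key carries a different comment and an options prefix,
    # next to an unrelated key that must survive the rotation
    {
        echo '# managed keys'
        echo 'command="/usr/local/bin/deploy.sh",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOldKeyOldKeyOldKeyOldKeyOldKeyOldKeyOldKeyA deploy-bot'
        echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtherKeyOtherKeyOtherKeyOtherKeyOtherKeyOtherA bob@desk'
    } > "$d/authorized_keys"
    chmod 600 "$d/authorized_keys"
    rotate_key "$d/authorized_keys" "$d/old.pub" "$d/new.pub" >/dev/null
    echo "$d"
}
```

Between steps 2 and 3 of a real rotation, also prove the new key logs in (`ssh -o PasswordAuthentication=no -i ~/.ssh/id_ed25519_new user@server true`) before calling `remove_key`. Note that the new line is appended exactly as it appears in NEW.pub: if the old line carried options such as `command=` or `from=`, copy them onto the new line yourself, or the rotation silently widens what the key may do.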

Certificate-Based SSH

# Create CA key (keep this VERY secure: give it a passphrase, keep it off the servers)
ssh-keygen -t ed25519 -f ca_key -C "SSH Certificate Authority"

# Sign user key
#   -I  key identity, written to the server's auth log on every login with this cert
#   -n  principal(s): the login name(s) the certificate is valid for
#   -V  validity window; nothing in authorized_keys governs a certificate, so this
#       window is what bounds a lost key, and shorter than 52w is better where
#       re-issuing is cheap
# The signed certificate is written to id_ed25519-cert.pub, which the client keeps
# next to its private key.
ssh-keygen -s ca_key -I user@hostname -n user -V +52w id_ed25519.pub

# On servers, copy ca_key.pub to /etc/ssh, add to sshd_config, then reload sshd:
# TrustedUserCAKeys /etc/ssh/ca_key.pub
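Before handing out a certificate it is worth reading it back: `ssh-keygen -L` shows the key ID, the validity window and the principals, and the principals are what sshd compares against the login name once `TrustedUserCAKeys` is set. The script below, an added example that is not part of the original page, issues a short-lived certificate and checks those fields. The CA key is generated without a passphrase only so the demonstration runs unattended; the user and principal names are assumptions.

```shell
#!/bin/sh
# Issue an OpenSSH user certificate and verify what it grants. Added example, not from
# the original page; requires ssh-keygen. The CA key has no passphrase only so the demo
# runs unattended; a real CA key gets a strong passphrase and never lives on a server.

# new_key PATH COMMENT -> unencrypted ED25519 key pair at PATH (and PATH.pub)
new_key() { ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1"; }

# issue_user_cert CA_KEY PUBKEY KEY_ID PRINCIPALS VALIDITY
#   -I  identity string that sshd logs on every login with this certificate
#   -n  comma-separated principals: the login names the certificate is valid for
#   -V  validity window such as +4w; the result lands beside PUBKEY as <name>-cert.pub
issue_user_cert() { ssh-keygen -q -s "$1" -I "$3" -n "$4" -V "$5" "$2"; }

# cert_field CERT LABEL -> value of one "LABEL: value" line of `ssh-keygen -L`, quotes stripped
cert_field() {
    ssh-keygen -L -f "$1" | sed -n "s/^[[:space:]]*$2: *//p" | tr -d '"'
}

# cert_principals CERT -> one principal per line (nothing when the certificate has none)
cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /^[[:space:]]*Principals:/       { p = 1; next }
        /^[[:space:]]*Critical Options:/ { p = 0 }
        p { print $1 }'
}

# cert_allows CERT USER -> 0 if USER is a listed principal. With TrustedUserCAKeys and no
#   AuthorizedPrincipalsFile, sshd requires the login name to appear in this list.
cert_allows() { cert_principals "$1" | grep -qx "$2"; }

# demo -> scratch directory containing ca_key, id_ed25519 and id_ed25519-cert.pub
demo() {
    d=$(mktemp -d)
    new_key "$d/ca_key" "SSH Certificate Authority"
    new_key "$d/id_ed25519" "alice@laptop"
    issue_user_cert "$d/ca_key" "$d/id_ed25519.pub" "alice@laptop" "deploy,alice" "+4w"
    echo "$d"
}
```

On the client, `ssh -i ~/.ssh/id_ed25519 deploy@server` picks up `id_ed25519-cert.pub` automatically because it sits beside the private key; on the server, the `Valid:` line from `cert_field CERT Valid` tells you when that login stops working without anyone touching authorized_keys.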